Friday, 10 August 2012

A word on XDocCrypt/Dorifel/Quervar

I'm sure everyone has heard by now about the so-called XDocCrypt/Dorifel/Quervar malware.

It has mostly damaged machines in the Netherlands, but reports have come in from other countries (including the United States) as well. I first saw this infection myself on 08/08/2012, and my initial thought was: ransomware. However, no message is displayed, so it's either a failed ransomware attempt or the malware simply wants to annoy users.

This virus infects Office files, reverses the extension and adds “.scr” behind it (this is also known as the RTLO Unicode hole: the Right-to-Left Override character, U+202E, makes it easy to hide the original file extension. I remember a blog post from not too long ago about this hole targeting users of the Arabic language; let me know if you find it). Renaming does not solve the issue: you cannot open the documents.
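As an added example (not from the original post), the check below shows how a defender can spot filenames that carry the Right-to-Left Override trick described above: it renders the name roughly the way a user sees it, strips the bidi control characters to find the real extension, and flags the mismatch. The sample filename is constructed here, not taken from an infected machine.

```python
# Added example: detect filenames abusing the Unicode Right-to-Left Override
# (RLO, U+202E) so that a ".scr" shows up looking like a ".doc".

RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE
# Bidi control characters that can reorder how a filename is displayed.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd"}


def displayed_name(name: str) -> str:
    """Approximate what a simple renderer shows: text after an RLO is drawn
    reversed. This is a demo approximation, not a full bidi algorithm."""
    if RLO not in name:
        return name
    head, _, tail = name.partition(RLO)
    return head + tail[::-1]


def real_extension(name: str) -> str:
    """The extension the OS actually uses: text after the last dot, with any
    bidi control characters removed first."""
    clean = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return clean.rsplit(".", 1)[-1].lower() if "." in clean else ""


def check_filename(name: str) -> dict:
    """Flag a name if it contains a bidi override and really ends in an
    executable extension, whatever the rendered name suggests."""
    shown = displayed_name(name)
    shown_ext = shown.rsplit(".", 1)[-1].lower() if "." in shown else ""
    real = real_extension(name)
    has_bidi = any(ch in BIDI_CONTROLS for ch in name)
    return {
        "shown": shown,
        "shown_ext": shown_ext,
        "real_ext": real,
        "suspicious": has_bidi and real in EXEC_EXTS,
    }


# Constructed sample following the post's "reversed extension + .scr" pattern:
# the OS sees "...cod.scr", the user sees "...rcs.doc".
SAMPLE = "Budget2012" + RLO + "cod.scr"

if __name__ == "__main__":
    for f in (SAMPLE, "photo.jpg"):
        print(check_filename(f))
```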



Office files affected by the malware


As depicted in the figure above, the Word and Excel files have had their extension reversed, so they now appear to be .scr files, the format for a screensaver. The .jpg file is not affected in any way.

The files are encrypted with RC4, a very common stream cipher. SurfRight has developed a tool to decrypt (and recover) your files:
Dorifel decrypter



The malware has probably been downloaded by the Citadel or Zeus (aka Zbot) malware.


Zeus sample:

remyf.exe
Result: 12/42
MD5: 30e7785cb9eafcea34fe930631fbba07
VirusTotal Report
Anubis Report



Let's take a look at a few Dorifel samples:

Acquisit.exe
Result: 15/42
MD5: d913394b8011b317f6d916507ffb7f2f
VirusTotal Report
Anubis Report


gis-woz4_v8.exe
Result: 12/42
MD5: a311cd6f67cb112cba78a27b87320fc3
VirusTotal Report
Anubis Report


DGRAYP.exe
Result: 24/42
MD5: f05f4f5be8431f746e59fe409a0b9bb1
VirusTotal Report
Anubis Report


Y6TK9B.exe
Result: 11/42
MD5: c1fa3618d7b54ab6a7a25857d7b30b3c
VirusTotal Report
Anubis Report



The malware tries to connect to one of the following IP addresses:
184.82.162.163 - IPvoid result
184.22.103.202 - IPvoid result


Where it will attempt to download the following file:

a.exe
Result: 13/42
MD5: 493887a87cd95b004f9ffbbaaecd1ac6
VirusTotal Report
Anubis Report



I haven't taken an in-depth look at it, but besides encrypting your Office files, I have seen that the malware kills itself when you open Task Manager. Not sure what the point is there. It also doesn't seem to start up again automatically.

It does create an .lnk file pointing to the dropped malware and registers that as an autorun entry, so it will start every time the machine boots.



Conclusion

The infection vector (how it spreads) is phishing or spam email, so as usual:

- Don't open attachments from unknown senders - ever.
- Some antivirus products already detect Dorifel generically, so update your antivirus.
- If you're in a corporate network, use a strong spam filter. Correctly configured, it will prevent a lot of trouble.
- Educate your users: raise general awareness. Not even a spam filter stops 100% of all spam; there's always a chance something slips through.




Thanks to @erikremmelzwaal from Medusoft for most of the samples.

External sources:

Thursday, 26 July 2012

Scan from a Hewlett-Packard ScanJet

I have recently received several mails claiming that my document was scanned and sent to me.

Subjects may be (there are many variants where only the number differs):
Re: Scan from a HP ScanJet #920330420
Fwd: Re: Scan from a Hewlett-Packard ScanJet 02872405

That notification is great, except for the fact that I didn't scan anything:


You received your document !

The text reads:
Attached document was scanned and sent
to you using a Hewlett-Packard I-25625SL.
SENT BY : ORPHA
PAGES : 4
FILETYPE: .DOC [Word2003 File]

A classic social engineering trick: they let you believe the file is a Word document. If we open the ZIP archive, we can clearly see it's just an EXE file. Did they perhaps forget to change the icon to a Word icon?



The filetype is clearly an application, not a Word document



Let's see some more information about this file:

HP_Scan_N989397452.exe
Result: 18/41
MD5: e187763c92e2acc6bb1c804309ebb381
VirusTotal Report
ThreatExpert Report
Anubis Report
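As an added example (not from the original post), here is a small mail-filter check for this lure: the subject is matched against the two variants quoted above, and a ZIP attachment is flagged when it contains an executable. The mails and the ZIP are constructed in the code for testing; no real sample is used.

```python
# Added example: flag "Scan from a HP ScanJet" lures whose ZIP attachment
# carries an executable instead of the promised Word document.
import io
import re
import zipfile

# Covers "Re: Scan from a HP ScanJet #920330420" and
# "Fwd: Re: Scan from a Hewlett-Packard ScanJet 02872405".
SUBJECT_RE = re.compile(
    r"^(?:(?:re|fwd?):\s*)*scan from a (?:hp|hewlett-packard) scanjet\s*#?\d+\s*$",
    re.IGNORECASE,
)
EXEC_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")


def subject_matches(subject: str) -> bool:
    """True if the subject follows the ScanJet lure pattern."""
    return SUBJECT_RE.match(subject.strip()) is not None


def zip_executables(data: bytes) -> list:
    """Return executable member names inside a ZIP blob (empty if not a ZIP)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXEC_EXTS)]
    except zipfile.BadZipFile:
        return []


def classify(subject: str, attachments: dict) -> str:
    """attachments maps filename -> bytes. Returns 'block', 'suspicious' or 'ok'."""
    lure = subject_matches(subject)
    exes = [m for blob in attachments.values() for m in zip_executables(blob)]
    if lure and exes:
        return "block"
    if lure or exes:
        return "suspicious"
    return "ok"


def make_zip(member: str, payload: bytes = b"MZ constructed dummy") -> bytes:
    """Build an in-memory ZIP for testing (constructed, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, payload)
    return buf.getvalue()


# Constructed lure mirroring the post: a ZIP holding HP_Scan_N<digits>.exe.
LURE = make_zip("HP_Scan_N000000000.exe")

if __name__ == "__main__":
    print(classify("Re: Scan from a HP ScanJet #920330420", {"scan.zip": LURE}))
```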


The file tries to phone home to 78.46.64.17 to fetch instructions; this address seems to be part of the Feodo botnet. IPvoid result

In case you're wondering, the mails were sent by the Cutwail spam botnet. Some example IPs:
190.43.118.189 - IPvoid result
211.221.155.211 - IPvoid result




Conclusion

Pretty simple. Never open any emails from unknown senders, and certainly not attachments.

Monday, 23 July 2012

iTunes Media Player



iTunes is a popular media player. It is used for playing, downloading, saving and organizing digital music and video collections on desktop and notebook PCs. It can play all of your digital music and videos, and it can also manage content on iPhone, iPod touch and iPad devices. iTunes is a fairly advanced application that is not only a very good media player but also a great iPod and iPhone manager. iTunes lets you do everything you would want with your device, including backing up, syncing, managing contacts and, most importantly, accessing the Apple store. With iTunes your files are enhanced with an extra view that shows album artwork wherever there is room, instead of the usual folder name next to every song. This smartens up the library view a lot and generally highlights the fresh and plain look of the application.


This player can play your videos and music in an instant and helps you organize playlists and library items. iTunes has all the features you would expect in a media player. iTunes was established by Apple Inc. on January 9, 2001. It is now available as a free download for Mac OS X as well as Windows XP, Vista and Windows 7. Additionally, you can use it as a media player too, and it is a great player for all kinds of people. If you want to get it, you can download it from here.



Sunday, 15 July 2012

WinX DVD Player




WinX DVD Player is a very powerful and complete DVD player. It is a full-featured and easy-to-use DVD, Video CD, Audio CD and media file player, featuring volume, playback speed and brightness control for movies. WinX DVD Player has all the functions you would expect of a DVD player and is controlled via the floating toolbar or by right-clicking on the screen itself. WinX DVD Player is a very complete utility that not only plays DVDs but also a large number of formats, including DivX, XVID, MPEG and AVI, those included in the actual media suite and many more.

So you can use the basic tools, such as play, mute, restart, volume adjustment, next and previous track, as well as navigating back and forth within a video. This application is gaining popularity day by day. Besides, WinX DVD Player supports most popular video and audio formats, including IFO, DAT, AVI, VOB, MPEG, WMV, ASF, RMVB, DIVS and more. It also gives you more options to choose from, such as aspect ratio, screenshots, audio control etc. Unfortunately, you cannot download the actual registered version without payment, but you can download the unregistered version for free. The application is very small, but it is very powerful. Above all, WinX DVD Player is a good tool for viewing videos and listening to audio.




Tuesday, 10 July 2012

Winamp Media Player



Winamp is a media player for Windows. It is developed by Justin Frankel. Winamp is completely freeware and shareware software. It is suitable for audio playback. Winamp supports music playback of MP3, MIDI, MOD, MPEG-1 audio layer 1 and 2, AAC, M4A, FLAC, WAV and WMA. Winamp can play and import music from audio CDs. Winamp also supports playback of Windows Media Video and Nullsoft Streaming Video. Downloading and installing Winamp media player is extremely easy. Moreover, Winamp supports many kinds of streaming media: Internet radio, Internet television, XM satellite radio, AOL video, streaming content, podcasts and RSS media feeds. It also has extensible support for portable media players, and users can access their media libraries from anywhere over Internet connections.

The user interface retains the feature that made Winamp one of the most popular applications all over the world. Winamp is compatible with the majority of multimedia files out there, and during our tests we didn't run into any trouble playing any of the files we had on our PC. Winamp audio player may have been around forever, but it hasn't been left behind and is a fully featured music player that is really customizable. It is an excellent alternative to iTunes. Winamp's popularity is increasing day by day. So you can use this software without doubt.



